Re: Role label grammar
David Medinets 2012-08-13, 23:34
+1 for a pluggable solution. Put the complex stuff in contrib.
On Aug 13, 2012 4:31 PM, "Adam Fuchs" <[EMAIL PROTECTED]> wrote:
> There are a couple of ways to interpret this suggestion. One is that the
> syntax and semantics of the cell-level label attached to each key syntax be
> augmented, and the other is that the user authorization sets be augmented
> to include these concepts, both in the storage and in the scanning API.
> With respect to the former, I think that it complicates the grammar too
> much to add in range checking, and I'm not sure this is really what we want
> anyway. In the case of the time-windowed restriction for accessing an
> object, I would hypothesize that the bounds of the window are not
> necessarily calculable from only the object itself, but also require
> attributes of the user and policy. User attributes and policy can change
> independently of the object, so it makes sense to move that logic
> The other alternative interpretation that might fit the use case better is
> to give the user access to a particular authorization only for a particular
> time period. ACCUMULO-238 and ACCUMULO-259 would open up the ability to
> handle this type of thing at an external authorization-provider, rather
> than using the built-in, relatively static set of maximal authorizations
> that Accumulo supports out of the box. Also, it's not really necessary to
> extend the current authorization syntax, since we could just explicitly
> represent the time bounds in an extended API.
> On Mon, Aug 13, 2012 at 3:26 PM, Edmon Begoli <[EMAIL PROTECTED]> wrote:
> > Folks,
> > These are just some thoughts inspired by our discussion on the user list
> > and the multi-level representation for labels.
> > What do you think if role labels could have embedded, interpretable,
> > simple micro-grammar structure
> > that if present could be used to augment the role label semantics with
> > additional meaning - e.g. place, time, relationship.
> > For example:
> > if regular label is followed by :
> > :read:4294967295 or read:4294967295-4294967312
> > this would mean that this role label is effective between these
> > We could further expand the grammar to include some of the simple and
> > easily verifiable conventions.
> > for instance label:
> > administrator@tn
> > could mean that this is a role of an administrator but effective only
> > for the state of Tennessee.
> > = could mean "is"
> > read=administrator@tn
> > Would indicate read privileges at the admin level at Tennessee.
> > --
> > Edmon
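The micro-grammar Edmon sketches above, worked through as an added example (this is illustration code written for this thread, not Accumulo's own visibility or authorization parser): a small parser for `role[@place][:start[-end]]` labels and `privilege=label` bindings, plus an evaluator that takes the current time and place from the caller rather than deriving them from the stored label, which is the point Adam raises about window bounds depending on user attributes and policy rather than on the object alone. Two rules the thread leaves open are assumptions here and are marked as such in the code: a lone `:start` is read as "effective from that timestamp onward", and a place is a bare alphanumeric token such as `tn`.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Micro-grammar as sketched in the thread (added example; the rules below
# are assumptions about the proposal, not Accumulo's own label syntax):
#   binding := privilege '=' label            "=" read as "is"
#   label   := role ['@' place] [':' window]  place scopes the role, e.g. "tn"
#   window  := start ['-' end]                integer timestamps; a lone
#                                             start is assumed to mean
#                                             "effective from start onward"
LABEL_RE = re.compile(
    r"^(?P<role>[A-Za-z_][A-Za-z0-9_]*)"
    r"(?:@(?P<place>[A-Za-z0-9_]+))?"
    r"(?::(?P<start>\d+)(?:-(?P<end>\d+))?)?$"
)


@dataclass(frozen=True)
class RoleLabel:
    role: str
    place: Optional[str] = None
    start: Optional[int] = None
    end: Optional[int] = None

    def effective_at(self, now: int, place: Optional[str] = None) -> bool:
        """True if the label applies at time `now` in `place`.

        Time and place are supplied by the caller (user context and policy),
        not computed from the stored label, so policy can change
        independently of the object that carries the label.
        """
        if self.place is not None and self.place != place:
            return False
        if self.start is not None and now < self.start:
            return False
        if self.end is not None and now > self.end:
            return False
        return True


def parse_label(text: str) -> RoleLabel:
    """Parse 'role[@place][:start[-end]]'; reject anything else outright."""
    m = LABEL_RE.match(text)
    if m is None:
        raise ValueError(f"malformed role label: {text!r}")
    start, end = m.group("start"), m.group("end")
    label = RoleLabel(
        role=m.group("role"),
        place=m.group("place"),
        start=int(start) if start is not None else None,
        end=int(end) if end is not None else None,
    )
    # An inverted window would never be effective; treat it as a parse error
    # so a bad label is caught when it is written, not silently at scan time.
    if label.start is not None and label.end is not None and label.end < label.start:
        raise ValueError(f"window end precedes start: {text!r}")
    return label


def parse_binding(text: str) -> Tuple[str, RoleLabel]:
    """Parse 'privilege=label', e.g. 'read=administrator@tn'."""
    privilege, sep, rest = text.partition("=")
    if not sep or not privilege.isidentifier():
        raise ValueError(f"malformed binding: {text!r}")
    return privilege, parse_label(rest)


def grants(bindings: Iterable[str], privilege: str, role: str,
           now: int, place: Optional[str] = None) -> bool:
    """Does any of the user's bindings give `privilege` as `role` here and now?"""
    return any(
        p == privilege and label.role == role and label.effective_at(now, place)
        for p, label in map(parse_binding, bindings)
    )


if __name__ == "__main__":
    # Constructed sample bindings held by one user (not real data).
    user = ["read=administrator@tn:4294967295-4294967312", "write=auditor"]
    print(grants(user, "read", "administrator", 4294967300, "tn"))  # True
    print(grants(user, "read", "administrator", 4294967300, "ca"))  # False
    print(grants(user, "read", "administrator", 4294967313, "tn"))  # False
```

Keeping the time and place out of the label parser and passing them into `effective_at` is the design choice that matters: the stored label stays a static, easily validated token, and the parts that depend on the user and on policy are evaluated at scan time where they can be changed without rewriting cells.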